ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
15.66k stars 1.5k forks

janitor is not cleaning up the expired access_tokens generated using client_credentials flow #3784

Closed sagarshah1983 closed 3 months ago

sagarshah1983 commented 5 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

We are using hydra 2.2.0 and we are noticing growth in the hydra_oauth2_access table.

After looking further, we found that even when we run the janitor command, it's not cleaning up the tokens from the hydra_oauth2_access table even though they are expired (we are using the default hydra-level expiry of 30m for access tokens, and there's no client-specific expiry set up). These tokens were generated and issued to a client using the client_credentials workflow.

Reproducing the bug

  1. Start Hydra Container
  2. Set up a client with client_credentials with access token expiry for shorter timeframe (30 min)
  3. Request a token using client_credentials grant
  4. Verify the record exists in hydra_oauth2_access table
  5. After token is expired, validate that token introspection response indicates active:false
  6. Verify that the record still exists in hydra_oauth2_access table
  7. Call the janitor command as described in the documentation with the --tokens parameter (https://www.ory.sh/docs/hydra/cli/hydra-janitor)

Expected behavior: Expired tokens should be deleted from the database table.

Actual behavior: Expired tokens still remain in the table.

Relevant log output

No response

Relevant configuration

No response

Version

2.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

Related link: #3781

mig5 commented 4 months ago

Seems to me that the janitor command only runs on 10,000 rows at a time. I had over 30,000 rows in my hydra_oauth2_access table (also running Hydra 2.2.0) and I had to run the command several times to completely purge expired tokens. I wonder if this was your issue - are you definitely not seeing any deletions, or are you just seeing old ones that haven't yet been purged due to the 10,000 limit?
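The per-run limit described in this comment is the reason a single janitor run can leave expired rows behind. The following is an added example, not Hydra's code or schema: it models a bounded cleanup over an in-memory SQLite stand-in for hydra_oauth2_access (column names `signature`, `client_id`, `expires_at` and the 10,000-row cap `BATCH_LIMIT` are assumptions for the example) and shows the check a practitioner would run after a janitor pass, plus a loop that repeats passes until nothing is left.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical per-run cap, modelled on the 10,000-row behaviour described
# in the comment above; an assumption for this example, not Hydra's code.
BATCH_LIMIT = 10_000
# Fixed "current time" so the constructed data is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def make_token_table(n_expired, n_live, now=NOW):
    """Constructed in-memory stand-in for hydra_oauth2_access (not Hydra's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_tokens (signature TEXT PRIMARY KEY, "
                 "client_id TEXT, expires_at TEXT)")
    # Expired rows: 30m lifetime, already 5 minutes past expiry.
    rows = [(f"expired-{i}", "m2m-client", (now - timedelta(minutes=5)).isoformat())
            for i in range(n_expired)]
    # Live rows: still 25 minutes away from expiry.
    rows += [(f"live-{i}", "m2m-client", (now + timedelta(minutes=25)).isoformat())
             for i in range(n_live)]
    conn.executemany("INSERT INTO access_tokens VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def janitor_pass(conn, now=NOW, limit=BATCH_LIMIT):
    """One bounded run: delete at most `limit` expired rows, return the count removed."""
    # ISO-8601 UTC strings without microseconds compare correctly as text.
    cur = conn.execute(
        "DELETE FROM access_tokens WHERE signature IN ("
        "SELECT signature FROM access_tokens WHERE expires_at < ? LIMIT ?)",
        (now.isoformat(), limit))
    conn.commit()
    return cur.rowcount


def expired_remaining(conn, now=NOW):
    """The check to run after a janitor pass: how many expired rows are still there."""
    return conn.execute("SELECT COUNT(*) FROM access_tokens WHERE expires_at < ?",
                        (now.isoformat(),)).fetchone()[0]


def total_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM access_tokens").fetchone()[0]


def drain_expired(conn, now=NOW, limit=BATCH_LIMIT):
    """Repeat bounded passes until one deletes nothing; return passes that removed rows."""
    passes = 0
    while janitor_pass(conn, now, limit) > 0:
        passes += 1
    return passes
```

With 25,000 expired rows the first pass removes 10,000 and leaves 15,000 expired, which is exactly the symptom reported above; `drain_expired` needs two further passes before `expired_remaining` reaches zero, while live tokens are untouched.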

sagarshah1983 commented 4 months ago

Hello @mig5, thanks for providing these details. I think it required us to run the janitor command multiple times as well to clear up all the tokens. We had over a million records and we were running janitor only daily. We can close this issue. I have just one question for now. By any chance, is this limit of 10000 configurable or noted in the documentation?

alnr commented 3 months ago

I don't think this is configurable ATM.